Privacy, Patients and Healthcare - where the rubber hits the road

If you want to really sit at the bleeding edge of personal privacy, spend some time thinking about storing and sharing personal health records for entire population. That's what Scotland's National Health Service embarked on and succeeded in delivering.

Dr Libby Morris is a GP who has been working with electronic health records for the last decade from her practice in Scotland. As well as working as a GP, Dr Morris also works from the Scottish government as the lead clinical advisor in eHealth.

Scotland's NHS operates independently of England's so it's quite small - about 1000 practices and 170 hospitals and nearly 700 community pharmacists - according to Dr Morris. This made the project manageable and not massive in scope. There's a single ambulance system.

"It's a nice size," Dr Morris told delegates at the IAPPANZ Summit. "We've only got two clinical systems which are used by all of the practices. One system, which is used by the ambulance, and approximately three that are used by secondary carers. So, it is possible to have integrated records if you can sort out information properly".

Another advantage the project had was that GPs had been using electronic systems for about 20 years - the only paper records still being held were archival and no longer being added to. Medical practices are connected to pharmacies so prescription data was already shared. Paper-based information is routinely scanned and electronically stored.

Almost every other element from outpatients programs to maternity services use electronic record keeping although there was a significant challenge as many of those systems were connected.

"The Emergency Care Summary was a particular project that was designed specifically for patients who needed out of hours care," explained Dr Morris.

In Scotland, everyone has a designated GP - unlike Australia where we can visit whatever doctor we want. So, while most of an individual's healthcare is managed by a single GP emergency care might be handled by someone completely different. That meant, even though the patient might know some of their medical history, the treating physician would not have a complete medical picture.

"We devised, what we called, an Emergency Care Summary," explained Dr Morris.

"It was very specific. It was to provide a medical summary for patients when they were not in their GPs surgery. It was designed to improve the care and safety of patients. And it was coming from the general practice records".

The issue of whether patients needed to give specific consent for the data to be shared was one that the Scottish NHS mused over for some time. At the end, common sense prevailed.

"People have strong feelings about consent. But it was about changing the culture. Twenty years ago, general practice was absolutely paranoid about their own records, about patient information. Secondary care were, maybe, a little bit lax so changing culture was really important. Putting specific consent to look at the records wasn't a big thing. It wasn't about signing consent forms or making a big fuss. It was simply that if someone turns up in the ED or national triage system, ask them a quick question - 'Do you mind if I look at your records?'. It was just good manners really," explained Dr Morris.

Patients are able to opt in and out from that consent and there are strong controls and reporting around access to records so an audit trail could be established to know who looked at particular records and how much time they spent looking at that data. As the data was being copied from their GP to the hospital or other facility, if consent was withdrawn, the data is deleted with the original retained by the registered GP.

The system has been extremely successful with use increasing every year and an extended to secondary carers such as hospital pharmacists. Costs have been well managed with independent audits from the EU revealing a very positive return on the investment. Patient access is now being developed.

Although the project's initial focus was on patient care, the Scottish NHS is now looking at how that data can be used for secondary applications such as informing new services, research and plan new initiatives.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Join the CSO newsletter!

Error: Please check your email address.

Tags patientsIAPPANZ SummitHealthcareLeadersEnex TestLab #iappANZGP emergencyDr Libby MorrisehealthInformation TechnologyScotland's National HealthprivacyCSO Australia

More about CSOEnex TestLabEU

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Anthony Caruana

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts